The well-known Internet Protocol (“IP”) provides a method for routing information over the Internet. Protocols for converting and routing voice conversations via any IP-based protocol are termed Voice Over Internet Protocol (“VOIP”). To date, most VOIP implementations have not been optimally secured.
One existing technology applicable to VOIP protection is public key cryptography. The well-known Diffie-Hellman (“DH”) key agreement method exemplifies the type of public key cryptography that could be used in securing VOIP. DH includes all variants of DH, including, for example, the classic finite field DH (“FFDH”) approach as well as the elliptic curve DH approach (“ECC-DH”). In addition, a public key infrastructure (“PKI”) could be used. A PKI enables users of a public network such as the Internet to securely exchange information through the use of a public and private cryptographic key pair. In many approaches, security is enhanced by provisioning and sharing the key pair via a trusted authority. A PKI provides for digital certificates that can identify individuals or organizations. Unfortunately, PKI technology includes many complexities, including notions of a certification authority (CA), a registration authority (RA), one or more directories where the certificates (with their public keys) are held, and a certificate management system. The CA often is required to be a trusted entity that issues and verifies digital certificates. A digital certificate is an electronic data element that evidences an entity's credentials. The certificate can include the public key or information about the public key, as well as other information, such as a name, serial number, expiration dates, and a digital signature of the certificate authority. Digital certificates may be kept in registries so that authenticated users can look up other users' public keys.
Securing public switched telephone network (“PSTN”) phones is well known. For example, the TSD 3600 from AT&T Corporation uses several of the techniques discussed in further detail below, including hash commitment and DH key exchange. Most secure phones rely on a DH public key exchange to agree on a common session key. For example, as shown in FIG. 1, User A 102 can use VOIP software 108 executing on computing device 106 to communicate with User B 104. User B uses bump-in-the-cord VOIP 112 with Ethernet-based phone 110. As shown in FIG. 1, DH is susceptible to a man-in-the-middle (“MitM”) attack. In such an attack, MitM 130 intercepts communications from User A 102 to User B 104 and, in effect, carries on two different communications sessions—one with User A via device MitMA 132 and one with User B via device MitMB 134. In doing so MitM 130 makes it appear that User A 102 and User B 104 are communicating directly, when in fact MitM is secretly eavesdropping on their communication. Due to the possibility of the MitM attack shown in FIG. 1, a way to authenticate the DH exchange is commonly provided. Some systems accomplish this by depending on digital signatures backed by a centrally-managed PKI. The complexity of PKI, however, results in significant technology commitments, time requirements and budget commitments, both at initial deployment and during ongoing operations. A preferred alternative would be to avoid PKI altogether, especially when developing secure commercial products.
Consequently, many commercial secure phones augment a DH exchange with a voice authentication digest (“VAD”), combined with a hash commitment at the start of the key exchange, to shorten the length of VAD material that must be read aloud. A VAD (also known as a short authentication string) consists of a short string or value that two users can exchange verbally to authenticate their connection and help protect against MitM attacks. Hash commitment refers to the use of an agreed-upon cryptographic hash to shorten the VAD material. No PKI is required for this approach to authenticating the DH exchange. The AT&T 3600, Eric Blossom's COMSEC secure phones, PGPfone from PGP Corporation, and Cryptophone from GSMK mbH are all examples of products that utilize this simpler lightweight approach.
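One way the hash commitment and VAD described above can wrap a DH exchange, shown as an added example that is not taken from this document or from any of the products it names. The toy group, the three-message order, SHA-256 as the agreed-upon hash and the 16-bit VAD length are all assumptions made for illustration.

```python
import hashlib

# Toy finite-field DH group, constructed for illustration (far too small for real use).
P, G = 2**127 - 1, 3

def h(*parts: int) -> bytes:
    """Agreed-upon hash (SHA-256 assumed) over fixed-width encodings of the integers."""
    return hashlib.sha256(b"".join(x.to_bytes(16, "big") for x in parts)).digest()

def vad(pub_i: int, pub_r: int, shared: int) -> str:
    """String the users read aloud: 16 bits of a hash over both public keys and the secret."""
    return h(pub_i, pub_r, shared)[:2].hex()

class Initiator:
    def __init__(self, secret: int):
        self.secret, self.pub = secret, pow(G, secret, P)

    def commit(self) -> bytes:
        # Message 1 carries only the hash of the public key, not the key itself.
        return h(self.pub)

    def finish(self, pub_r: int) -> str:
        # Called on message 2 (responder's key); message 3 then reveals self.pub.
        return vad(self.pub, pub_r, pow(pub_r, self.secret, P))

class Responder:
    def __init__(self, secret: int):
        self.secret, self.pub, self.commitment = secret, pow(G, secret, P), b""

    def receive_commit(self, commitment: bytes) -> None:
        self.commitment = commitment

    def finish(self, pub_i: int) -> str:
        # Reject a revealed key that differs from what was committed in message 1.
        if h(pub_i) != self.commitment:
            raise ValueError("revealed key does not match commitment")
        return vad(pub_i, self.pub, pow(pub_i, self.secret, P))

def run_call(a_secret: int, b_secret: int, relay=None):
    """Return (VAD shown to A, VAD shown to B); relay=(s1, s2) models FIG. 1's two sessions."""
    a, b = Initiator(a_secret), Responder(b_secret)
    if relay is None:
        b.receive_commit(a.commit())
        return a.finish(b.pub), b.finish(a.pub)
    to_a, to_b = Responder(relay[0]), Initiator(relay[1])
    # Each relay key is fixed before the other party's key is revealed, so it
    # cannot be chosen afterwards to make the two 16-bit strings agree.
    b.receive_commit(to_b.commit())
    return a.finish(to_a.pub), b.finish(to_b.pub)
```

On a direct call both users see the same four hex characters; when two separate DH sessions are spliced together, the strings differ except with probability about 1 in 65,536, which is what the verbal comparison detects.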
Certain problems exist with the VAD and hash commitment approach, however, including inattentive users who may not execute the voice authentication procedure or unattended secure phone calls to answering machines that cannot execute the voice authentication procedure. Additionally, a VAD must be employed for each call between users.
What is needed, then, is a method for allowing a user to easily establish multiple trusted VOIP communication sessions with other previously-authenticated users without the need to perform a voice authentication for each VOIP communication session. Such a method should not rely on intermediaries or complex infrastructure technology and should easily allow authentication of future calls.